
September 12, 2008

Must a data holder pay money if it is the victim of a data compromise? To that question the Connecticut Attorney General has a novel answer.

Background on Legal Liability

Few judicial decisions hold data holders liable for damages suffered by data subjects after a security breach. The best example of such a decision is Bell v. Michigan Council 25 AFSCME [Michigan Ct. of Appeals, unpublished op. 2/15/05]. It held a small labor union accountable to members who became victims of identity theft after a thief stole their Social Security Numbers (SSNs) and other data from the union. The damages amounted to approximately a quarter million dollars.

That result required the union members to go to court and prove negligence.

Sometimes state legislatures enact a law that specifically requires a data holder to pay the costs of others in the wake of a breach. A good example of such a special law is Minnesota’s HF 1758 (Plastic Card Security Act), which sometimes requires credit card merchants to reimburse the costs of card issuers when they replace cards after a breach at the merchant.

Politician Demands Liability ... and That's Not Necessarily Good or Bad

Now, in a breach at Countrywide Financial Corp (owned by Bank of America), the Connecticut state attorney general seeks liability without the support of a court decision or special legislation. He did not sue in court.

It appears the AG has simply demanded, in public, that Countrywide agree it will compensate anyone hurt by the breach. Countrywide is a large company, vulnerable to public pressure like this. Countrywide has agreed, and the AG is seeking to get that agreement in writing.

A state attorney general is a politician charged with advancing the interests of consumers. Here, Attorney General Richard Blumenthal is doing that not through traditional legal proceedings, but through his bully pulpit.

Background: Countrywide suffered a breach when an employee downloaded records on as many as 2 million Countrywide customers/prospects and offered them for sale to mortgage brokers who wanted them for sales leads. E. Scott Reckard, “Mortgage firm Countrywide, in response to alleged data breach, offers free credit monitoring,” Los Angeles Times, Sept. 10, 2008. Countrywide says it has no evidence that anyone has suffered identity theft from this incident.

Update: The expansion of legal liability for compromises of e-data security will be a deterrent to the adoption of electronic medical records (aka personal health records or PHRs). As the new Obama administration promotes electronic healthcare records, doctor's offices and clinics will have reason to resist. The reasoning of medical offices could go like this: "The Department of Health and Human Services says that if I implement e-patient records, I must implement reasonable safeguards to protect patient data. The implication is that if I make a mistake, I could be forced to pay money. Why should I expose my business to punishment by innovative privacy advocates like the Connecticut Attorney General? If a hacker invades or breaks into my e-records, an aggressive consumer advocate, like a plaintiff lawyer, might find a novel way to hold me liable. I'm better off with paper. If someone abuses my old-fashioned paper records, there is unlikely to be an audit trail of the incident (i.e., a smoking-gun electronic log showing that the wrong person opened the file). Furthermore, the compromise of paper records is less sexy and newsworthy than the hacking of electronic records. Consumer watchdogs like the Connecticut AG are less likely to make a big deal out of a garden-variety story about an unauthorized person looking at paper records in a manila file folder." The federal government has not yet proposed measures for protecting the security of PHRs. Ben Worthen, "New Epidemic Fears: Hackers," Wall Street Journal, Aug. 4, 2009.

August 07, 2008

Federal Trade Commission Misunderstands Card Data Privacy.

Rethink PCI Law.

The TJX credit card data break-in is reputed to be the largest in history. On the heels of the incident, many credit card issuers replaced cards believed to be compromised. Replacing cards is expensive (not to mention disruptive to consumers), and many card issuers demanded, through lawsuits and otherwise, that TJX reimburse them. In December 2007, TJX settled one class action lawsuit with issuers of affected VISA cards, agreeing to pay $41 million. Dow Jones Newswires, "TJX Gets Over 95% Acceptance Of VISA Settlement Agreement," December 20, 2007. In May 2008, TJX said it had support for a settlement with Mastercard issuers for $24 million.

The Federal Trade Commission concluded that TJX had maintained inadequate controls to protect credit card data and had therefore committed unfair trade practices. Consequently, the Commission has punished TJX by requiring it to adopt new controls (in the vein of the Payment Card Industry Data Security Standard, PCI DSS) and to file extensive paperwork with the government for years to show that the controls are in place.

That's the background. Now think about this: in August 2008, federal authorities announced indictments of the ring of criminals at the heart of the TJX heist. The ring had stolen data from both TJX and many other retailers. According to authorities, the criminals used stolen data to withdraw tens of thousands of dollars at a time from automated teller machines. Their ATM withdrawals added up to hundreds of thousands of dollars.

Do you see an imbalance here? TJX settles with VISA and Mastercard issuers for $65 million, whereas the actual reported fraud is only a tiny fraction of that amount. Further, when card issuers canceled all those cards, they needlessly alarmed and inconvenienced millions of cardholders.


Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.
